Some merchants still believe that their Point-of-Sale (POS) vendor provides all the security they need to be Payment Card Industry (PCI) compliant. That assumption is incorrect.
A POS vendor is required to be Payment Application Data Security Standard (PA-DSS) compliant, but that does not equate to PCI Data Security Standard (DSS) compliance. What the two have in common is that both require compliance year after year: PCI DSS stresses ongoing compliance, not just compliance at a single point in time.
Requirement PCI 11.2.1.b questions, “Does the quarterly internal scan process include re-scans as needed until all “high-risk” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved?” and 11.2.1.c states, “Are quarterly internal scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?”[1]
Put simply, an internal vulnerability scan identifies real and potential vulnerabilities inside a business’s network.
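The re-scan loop in 11.2.1.b is easy to lose track of across a quarter, so the following added example (not Omega's code, nor anything from the PCI documents) models it: it takes a quarter's internal scan runs, keeps only "high-risk" findings, and reports whether another re-scan is still owed. The CVSS 7.0 threshold, the `chk-*` plugin identifiers, the host names and the scan dates are all constructed; PCI DSS 6.1 leaves the actual risk ranking to the merchant's own documented process.

```python
"""Track a quarterly internal scan cycle the way PCI DSS 11.2.1.b frames it:
re-scan until no high-risk findings remain. All sample data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumption: the merchant's 6.1 risk ranking treats a CVSS base score of 7.0 or
# higher as "high-risk". Adjust to match the documented ranking policy.
HIGH_RISK_CVSS = 7.0


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str  # the scanner's check identifier; used to match findings across runs
    title: str
    cvss: float

    @property
    def key(self) -> tuple[str, str]:
        # A finding is "the same" across runs when host and check match.
        return (self.host, self.plugin_id)


@dataclass
class ScanRun:
    run_date: date
    findings: list[Finding]


def high_risk(findings: list[Finding]) -> list[Finding]:
    """Return only the findings that meet the high-risk threshold."""
    return [f for f in findings if f.cvss >= HIGH_RISK_CVSS]


def quarter_status(runs: list[ScanRun]) -> dict:
    """Summarise a quarter's scan cycle: what is still open and whether a re-scan is due."""
    if not runs:
        raise ValueError("no scan runs recorded for this quarter")
    ordered = sorted(runs, key=lambda r: r.run_date)
    first, latest = ordered[0], ordered[-1]
    still_open = high_risk(latest.findings)
    first_keys = {f.key for f in high_risk(first.findings)}
    open_keys = {f.key for f in still_open}
    return {
        "scan_count": len(ordered),
        "latest_scan": latest.run_date.isoformat(),
        "open_high_risk": sorted(f"{h}:{p}" for h, p in open_keys),
        "resolved_since_first_scan": sorted(f"{h}:{p}" for h, p in first_keys - open_keys),
        # 11.2.1.b: the cycle is not finished while any high-risk finding remains.
        "rescan_required": bool(still_open),
    }


# Constructed sample quarter: an initial scan and two re-scans.
SAMPLE_RUNS = [
    ScanRun(date(2023, 4, 3), [
        Finding("pos-01", "chk-0001", "Legacy file-sharing protocol enabled", 8.1),
        Finding("pos-01", "chk-0002", "TLS 1.0 accepted", 7.5),
        Finding("back-office", "chk-0003", "Self-signed certificate", 4.3),
    ]),
    ScanRun(date(2023, 4, 18), [
        Finding("pos-01", "chk-0002", "TLS 1.0 accepted", 7.5),
        Finding("back-office", "chk-0003", "Self-signed certificate", 4.3),
    ]),
    ScanRun(date(2023, 5, 2), [
        Finding("back-office", "chk-0003", "Self-signed certificate", 4.3),
    ]),
]

if __name__ == "__main__":
    for n in range(1, len(SAMPLE_RUNS) + 1):
        print(n, quarter_status(SAMPLE_RUNS[:n]))
```

Run as-is it prints the status after one, two and three scans; the first two report `rescan_required: True`, the third reports `False` with both high-risk items listed as resolved. Keeping the output per quarter is the evidence an assessor asks for under 11.2.1.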
The reality is that most IT staff, however big or small the business, spend their time dealing with regular day-to-day issues and putting out fires. They do not have the time to look into internal vulnerabilities or deal with PCI requirements. This is where you will see the value of a managed security services provider like Omega ATC.
Omega’s breakthrough solution, the Omega Appliance, provides internal vulnerability scanning, log parsing, and monitoring, all of which satisfy some of the toughest PCI DSS requirements for a merchant to achieve.
To get more information or schedule a test of the Omega Appliance, get in touch with Omega.
In summary:
[1] https://www.pcisecuritystandards.org/documents/SAQ_D_v3_Merchant.pdf